On Mon, Sep 10, 2007 at 01:40:29PM -0700, Daniel L. Miller wrote:
> Alex Samad wrote:
>> On Sun, Sep 09, 2007 at 11:36:18PM -0700, Daniel L. Miller wrote:
>>> Hi!
>>> I'm trying to create a routed VPN using OpenVPN - and having trouble with 
>>> the routing concepts involved.  Let me see if I can properly describe my 
>>> current topology:
>>> Server -
>>> LAN, with both local workstations and remote bridged workstations on the
>>> network (this works without reservation).
>>>    Server located at,,, and a few 
>>> others.
>>> Routed VPN, network.  Server is located at
>>>    Server can talk to clients, and clients can talk to server.
>>> My 1st goal is to allow selected server-side LAN workstations to reach 
>>> the routed VPN workstations.  The LAN should be invisible to the routed 
>>> VPN.
>>> My 2nd goal is to allow selected server-side LAN workstations to reach 
>>> networks served by routed VPN workstations as gateways [this involves 
>>> OpenVPN more, I believe].  The LAN should still be invisible to the 
>>> routed VPN.
>>> My server routing table is:
>>> dev tun0  proto kernel  scope link  src
>>> dev vmnet8  proto kernel  scope link  src
>>> via dev tun0
>>> dev eth0  proto kernel  scope link  src
>>> dev br1  proto kernel  scope link  src
>>> dev vmnet1  proto kernel  scope link  src
>>> via dev tun0
>>> default via dev eth0
>> I think you need to use a tap device (I currently have a similar setup, 
>> but I do not hide the LAN - in fact I use openvpn to do site to site WAN)
>> By hide the LAN you don't want the openvpn clients to see the 192.168 
>> addresses? If that is the case this is more an iptables question: you will 
>> need to NAT the LAN network going out, and if you want inbound traffic you 
>> will need to set up NATting on the way back in as well - static though.
> So do I need a source NAT directing all traffic intended for 
> from to come from
>> why do you want to hide the network - ?
> The VPN is to provide me a secure static connection to customer's sites.  
> However, those customers should be able to see neither each other, nor 
> reach our internal LAN - unless the connection is initiated from our side.
Okay then you just want outbound. Pretend the customer's site is the internet, 
SNAT should do it (and a firewall just to be safe). You should only need one on 
the client's openvpn side, but because that is not in your direct control 
(physically), I would probably suggest SNATting again on your openvpn server 
or the firewall rules.


At your site

* Set routing: either fix up the default route or add routing to each client 
 machine (the former being the easier of the 2)
* Set up a firewall
* Set up SNAT or push a route through to the client ('push "route"' - done in 
 the openvpn server config). The latter is probably the better - stay away 
 from the double NATting.

On the customer site
* Set up SNAT to hide everything coming from your site behind a local LAN address
* Set up a firewall 

So all traffic coming from your site will end up on the customer site with a 
local lan address.

There is no routing back into your lan, because of a) routing b) firewall on 
the customer site c) firewall on the server.

a & b are easy to get around because they are at the customer site. C is where 
your protection is.


> -- 
> Daniel
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
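The server-side piece of the setup Alex describes (SNAT out the tunnel, a FORWARD policy that only lets the LAN initiate, and the 'push "route"' alternative), written up as an added example that is not from the thread. All addresses are placeholders, since the archive stripped the real ranges; the interface names br1 and tun0 come from the quoted routing table.

```shell
#!/bin/sh
# Added example, not from the list post. Addresses are placeholders;
# override them through the environment before running gen_rules.
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # placeholder: server-side LAN
LAN_IF="${LAN_IF:-br1}"                 # LAN-facing interface (from the post)
VPN_NET="${VPN_NET:-10.8.0.0/24}"       # placeholder: routed VPN subnet
VPN_IF="${VPN_IF:-tun0}"                # tunnel interface (from the post)
VPN_SELF="${VPN_SELF:-10.8.0.1}"        # placeholder: server's tun0 address

# Print the FORWARD/NAT rules for the OpenVPN server ("c" in the post).
# Only the LAN may open connections toward the VPN; replies come back,
# anything the VPN side initiates toward the LAN is logged and dropped.
gen_rules() {
  cat <<EOF
iptables -P FORWARD DROP
iptables -A FORWARD -i $LAN_IF -o $VPN_IF -s $LAN_NET -d $VPN_NET -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VPN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VPN_IF -o $LAN_IF -m conntrack --ctstate NEW -j LOG --log-prefix "vpn->lan blocked: "
iptables -A FORWARD -i $VPN_IF -o $LAN_IF -j DROP
iptables -t nat -A POSTROUTING -o $VPN_IF -s $LAN_NET -j SNAT --to-source $VPN_SELF
EOF
}

# The alternative to double NAT that Alex prefers: an OpenVPN server-config
# line that pushes the LAN route to the client so replies come back over tun0.
gen_push_route() {
  net=${LAN_NET%/*}
  bits=${LAN_NET#*/}
  # OpenVPN wants a dotted mask; handle the common classful-sized prefixes
  case $bits in
    24) mask=255.255.255.0 ;;
    16) mask=255.255.0.0 ;;
    8)  mask=255.0.0.0 ;;
    *)  echo "unsupported prefix /$bits" >&2; return 1 ;;
  esac
  printf 'push "route %s %s"\n' "$net" "$mask"
}

# Self-check: no rule may ACCEPT a NEW connection entering from the tunnel,
# and the explicit tun0 -> LAN DROP must be present.
rules_block_vpn_initiated() {
  gen_rules | grep -- "-i $VPN_IF" | grep -q "NEW.*ACCEPT" && return 1
  gen_rules | grep -q -- "-i $VPN_IF -o $LAN_IF -j DROP"
}
```

Run `gen_rules | sh` as root to apply, or just `gen_rules` to review the rule set first.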
